From ab50b54169705ffa2998a3a30efde979ab846003 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Tue, 23 Jun 2020 20:06:00 +0000
Subject: [PATCH] Limit connections for static site Apache workers
We've noticed that our static sites will semi-regularly have problems due to stale SSL certs served by Apache workers which predate the latest certificate replacement and haven't terminated (graceful restart only ends the running workers once they have no remaining connections). Limit the impact of this by recycling workers automatically after a reasonable (large) number of connections. This implementation is shamelessly stolen from that used in Ic377f48d1a5a3eecbcb183327c9255134c4364ab for our mirror sites.
Change-Id: I2e5c0bdf012184ebbfccb086b967008bf12582ab
Co-Authored-By: Clark Boylan
---
 .../roles/static/files/apache-connection-tuning | 14 ++++++++++++++
 playbooks/roles/static/handlers/main.yaml | 7 ++++++-
 playbooks/roles/static/tasks/main.yaml | 9 +++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/roles/static/files/apache-connection-tuning
diff --git a/playbooks/roles/static/files/apache-connection-tuning b/playbooks/roles/static/files/apache-connection-tuning
new file mode 100644
index 0000000000..8cc4e55431
--- /dev/null
+++ b/playbooks/roles/static/files/apache-connection-tuning
@@ -0,0 +1,14 @@
+# worker MPM
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+#
+# We've noticed that our mirrors occasionally have stale workers. This leads
+# to ssl certs not being refreshed properly after reload and we've also seen
+# ssl connections to round robin backend services have trouble. Restarting
+# the workers so that they load up new info seems to fix this. Try and force
+# that to happen regularly with a connections limit per worker.
+
+ MaxConnectionsPerChild 8192
+
+
+ MaxConnectionsPerChild 8192
+
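Review bot: The header comment describes `MaxConnectionsPerChild` as the "maximum number of requests a server process serves", but the directive counts connections, and with keep-alive one connection can carry many requests; I would reword it to `# MaxConnectionsPerChild: maximum number of connections a child process handles before it exits`. The rationale paragraph still says "our mirrors" although this file ships in the static role, so "static sites" would match the commit message. The limit only bounds how long a pre-renewal worker can live: a child that sees little traffic or holds long-lived connections may stay under 8192 and keep serving the old certificate, so a check that compares the certificate actually served with the one on disk is still worth having. The two directive lines appear on this page without their enclosing container lines, so I cannot confirm which MPM each one is scoped to.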
diff --git a/playbooks/roles/static/handlers/main.yaml b/playbooks/roles/static/handlers/main.yaml
index 4c5855ec0f..fe996bf164 100644
--- a/playbooks/roles/static/handlers/main.yaml
+++ b/playbooks/roles/static/handlers/main.yaml
@@ -1,4 +1,9 @@
 - name: Reload apache2
 service:
 name: apache2
- state: reloaded
\ No newline at end of file
+ state: reloaded
+
+- name: Restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml
index f687fe778f..fcbca23f8c 100644
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@@ -61,6 +61,15 @@
 state: present
 name: headers
 
+- name: Copy apache tuning
+ copy:
+ src: apache-connection-tuning
+ dest: /etc/apache2/conf-enabled/connection-tuning.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: Restart apache2
+
 - name: Make sure packaged default site disabled
 command: a2dissite 000-default.conf
 args:
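Review bot: The new `Restart apache2` handler sits next to `Reload apache2` with nothing to say when each should be notified, and a full restart drops in-flight connections where a reload does not. Judging from the commit message, the restart is presumably deliberate, so that no worker started before the limit existed survives a graceful reload. A comment above the handler would record that, for example `# Full restart: a graceful reload leaves old workers running until their connections drain.`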
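Review bot: In the added `Copy apache tuning` task, `mode: 0644` is an unquoted scalar that a YAML 1.1 loader reads as an octal integer; it works here only because of the leading zero, and quoting it as `mode: "0644"` keeps the permission bits explicit whichever loader handles the file. The task writes straight into `conf-enabled` and notifies a handler that does a hard restart, so a syntax error introduced into the fragment later would stop Apache instead of leaving the old configuration running. A config test such as `apache2ctl configtest` before the restart would catch that, though whether it fits this role's handler flow cannot be judged from the hunk. The task list continues outside the hunk.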